So, while researching some stuff relating to ldapsync, I gained a bit more insight into how the remote username & parent authority work and work together:

1. The only auth plugins that use "remote username" are XMLRPC and SAML (optionally for SAML).
2. These are both services where you *don't* enter your username into the Mahara login form. Instead, you log in via an external service, and then it communicates the username to Mahara during the SSO process.
3. Where "remote username" comes in, is that when a username logs in via one of these processes, it checks for a record in the auth_remote_user table for this authinstance and that username. That record will point to a usr.id value for the Mahara user account that it should authenticate them to.
4. It kinda only makes sense for auth instances where you don't enter the username directly into Mahara. Otherwise, at the login screen, you may find yourself wondering, do I enter my Mahara username, or my LDAP username?

Now, how does parent authority work?

1. Only XMLRPC has a parent authority.
2. If a user has that XMLRPC as their auth instance, they can also log in using the parent authority -- and get to the same Mahara account! And vice versa.
3. In terms of user creation, the first time you roam over from the XMLRPC remote server, if the XMLRPC auth instance has a parent, it will create your account with the parent as your authinstance rather than the XMLRPC.
4. On subsequent logins, it checks auth_remote_user for a user with the matching remote username, and either the XMLRPC or its parent as their auth instance, and it logs you in as that user.

So, based on this a user will need to set up a remote username if:

1. Their auth instance is XMLRPC.
2. Their auth instance is parent to an XMLRPC. (And note that any auth type can be parent to XMLRPC -- even internal.)
3. Their auth instance is a SAML with the remote username feature enabled.

So, I'm putting together a patch that adds a "needs_remote_username()" method to the Auth class, which will indicate whether a particular auth instance needs a remote username or not. And then we'll display the external username field on the account settings page based on the value returned by that function. I'm also changing the create_user() function so that it automatically checks whether the new user's auth instance needs a remote username and supplies it if so.

--
https://bugs.launchpad.net/bugs/1160093

Title:
  Don't display a remote username on /admin/users/edit.php if no remote username exists

Status in Mahara ePortfolio:
  In Progress

Bug description:
  Per default, Mahara displays the "Username for external authentication" on the user account admin page no matter whether the account has actually set a remoteuser value or not. This is confusing when you want to check if an auth instance works correctly because you will have to check the database (in 2 different places) or at least do a user report which pulls the remoteuser value from the "correct" DB table. Mahara should only display a remoteuser if it really exists.
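
An added example, not part of the original message and not Mahara's code: a small Python model of the rules in the comment above, covering which auth instances need a remote username and how an SSO login resolves to a usr.id through auth_remote_user. The field names, the dictionary standing in for the table, the lookup order (own instance first, then parent) and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class AuthInstance:                  # hypothetical model, not a Mahara class
    id: int
    authname: str                    # "xmlrpc", "saml", "ldap", "internal", ...
    parent: Optional[int] = None     # only XMLRPC instances have a parent
    saml_remoteuser: bool = False    # SAML's optional remote username feature

def needs_remote_username(inst, instances):
    """True in the three cases the comment lists."""
    if inst.authname == "xmlrpc":
        return True
    if inst.authname == "saml" and inst.saml_remoteuser:
        return True
    # Any auth type (even internal) that is parent to an XMLRPC instance.
    return any(i.authname == "xmlrpc" and i.parent == inst.id
               for i in instances.values())

def resolve_sso_login(inst, remote_username, remote_users):
    """Map an SSO-asserted username to usr.id, or None if nothing matches.
    remote_users stands in for auth_remote_user:
    {(authinstance, remote username): usr.id} (assumed layout)."""
    candidates = [inst.id]
    if inst.authname == "xmlrpc" and inst.parent is not None:
        candidates.append(inst.parent)   # parent authority is also accepted
    for authinstance in candidates:
        usr_id = remote_users.get((authinstance, remote_username))
        if usr_id is not None:
            return usr_id
    return None

def authinstance_for_new_user(inst):
    """First roam-in: the account is created under the parent, if any."""
    if inst.authname == "xmlrpc" and inst.parent is not None:
        return inst.parent
    return inst.id

# Constructed sample data.
INSTANCES = {
    1: AuthInstance(1, "internal"),
    2: AuthInstance(2, "xmlrpc", parent=1),
    3: AuthInstance(3, "ldap"),
    4: AuthInstance(4, "saml", saml_remoteuser=True),
    5: AuthInstance(5, "saml"),
}
REMOTE_USERS = {(1, "jsmith@moodle"): 42, (4, "jsmith@idp"): 42}
```

The mapping row is what decides which local account an external assertion lands in, so a missing or stale row is the first thing to check when an SSO login reaches the wrong account or none.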

